Cleaning Up After Ransomware Attacks Isn't Easy

The experiences of two healthcare organizations that are still recovering from recent ransomware attacks after they refused to pay a ransom illustrate the challenges these incidents pose long after the initial attack.

Aberdeen, Washington-based Grays Harbor Community Hospital and its Harbor Medical Group are still recovering from a ransomware attack that occurred two months ago. Meanwhile, Eye Care Associates, a ophthalmology and optometry practice serving northeastern Ohio, is reportedly still recovering from a ransomware attack that happened about two weeks ago.

Patient Records Targeted

In a statement issued Wednesday, GHCH and HMG say they discovered on June 15 that databases containing electronic medical records were encrypted by ransomware.

Gray Harbor Community Hospital and its Harbor Medical Group say they are still recovering from a ransomware attack that happened two months ago.

"Our IT department shut down servers in order to stop the spread of the virus and preserve data," the statement notes. "Multiple third-party IT cyber and network consultants were immediately called in to assist in efforts to recover the data that was encrypted by the virus. GHCH and HMG notified the FBI of this incident."

The organizations say they have no evidence that any data has been accessed by unauthorized individuals.

The data encrypted in the attack and made inaccessible includes demographics, insurance information, medical history and treatment and billing information, the statement notes.

No Ransom Paid

The Daily World reports that attackers demanded GHCH and HMG pay a $1 million ransom.

But in their statement, the two organizations say that they did not pay a ransom, based on advice from the FBI. "One key issue is that paying the ransom will not guarantee that access to the information will be restored," their statement notes.

"GHCH and HMG do not know who is responsible for the incident, and it is a matter of ongoing investigation," the statement adds.

GHCH and HMG did not immediately respond to an Information Security Media Group request for comment on the attack and the status of the recovery. But in their statement, the organizations tell patients "some of your medical records may be inaccessible as a result of this incident."

The statement notes the organizations "will continue to work diligently with security experts to recover the affected databases and re-establish access to the entire electronic medical record, however, this may not be possible."

Eye Care Associates Attack

Youngstown, Ohio-based Eye Care Associates is also reportedly struggling with remediation following a ransomware attack two weeks ago.

The Business Journal Daily reported on Wednesday that Eye Care Associates' computer system was still down, although operations were expected to be "fully restored in the next day or two" following a ransomware attack on July 28, citing a police report filed Monday.

Eye Care Associates was attacked two weeks ago and is still reportedly recovering from the ransomware incident.

"The attack failed in that the directors of the physician-owned medical practice decided not to respond to an email that would tell them how much money had to be paid to the unlock the system," Business Journal Daily reports.

But the business operations of the practice, including patient appointment scheduling, has reportedly been disrupted.

Eye Care Associates did not immediately respond to an ISMG request for comment, and as of Thursday, it did not yet appear to have issued a public notification about the data security incident.

Difficult 'Clean Ups'

Organizations that refuse to pay a ransom and choose instead to recover from a ransomware attack by using backups and other methods need to be prepared for difficulties, some security experts note.

"Recovery from a ransomware attack is not trivial," says former healthcare CIO David Finn, executive vice president at security consultancy CynergisTek.

Treating patients during the period when data in systems is inaccessible can prove difficult, he notes. "Most places can go a few hours without completely losing track of things, if they have good, documented procedures, but when you get into days or weeks making sure you are collecting and retaining everything is difficult."

Once all the systems are back up, all data manually collected while the computers were down needs to be re-entered, Finn notes. "That can take months. If you haven't been able to drop bills for a week and haven't entered charges, you can create cash flow issues at a time when you can likely least afford not to have the cash."

Restoration Work

Similarly, Keith Fricke, principal consultant at tw-Security, says that ransomware recovery can take an extended period of time.

For instance, an organization's most recent data backups around the time of the attack can potentially contain ransomware encrypted files that were backed up, requiring the entity to use older backups and manually enter more recent data as part of the recovery.

"Large amounts of data requiring restoration from backups can take days to restore, based on the method and age of technology used to do the backups," he adds.

But resorting to paying a ransom is no guarantee of quick recovery, either. Attackers who are paid may fail to provide a decryption key. And the process of paying a ransom can be difficult and time-consuming.

"If the ransom has to be paid, it takes time to set up a digital currency account to pay the ransom," Fricke notes.

"Forensic investigations take time to get to the root cause of the ransomware infection and the scope of data impacted," he adds.

Taking Action

After a ransomware attack, organizations can struggle to restore access to all systems, including electronic medical records, Fricke says.

"An EMR generally does not consist of one database, but rather many databases that are linked together," he says. "These databases may exist on a number of servers. Therefore, it is possible that if only certain servers are infected with ransomware, that only the databases on those systems are impacted."

If an organization discovers an active ransomware infection, it may choose to shut the system down to contain the scope of data encrypted, Fricke notes. "Consequently, some of the data may be encrypted and not all of it."

Preventive Efforts

The best way to avoid the pain of recovering from a ransomware attack is to take critical steps to prevent falling victim, security experts say.

"Patching systems that have vulnerabilities and ensuring backups are frequently performed and tested continue to be the top two ways to prevent and recover from ransomware," Fricke says.

An integral part of any response plan needs to be communication with those impacted, Finn says. "One of the things that many caregivers miss is communicating with customers - patients and the staff that are not on site when the event happens."

When it comes to recovery plans, "don't make assumptions that your backup plans or operational plans are foolproof - try them out and then know, even if they work, unexpected things will happen during the ransom or any event," Finn adds.

"Lastly, understand that after the event is over is when the real work starts. You need to plan for the time, staffing and budgets for recovery."

About the Author

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;